Home > Cisco > Interface > Cisco Ise 13 User Guide

Cisco Ise 13 User Guide

Add to Favourites
    Download as PDF

    Here you can view all the pages of manual Cisco Ise 13 User Guide. The Cisco manuals for Interface are available online for free. You can easily download all the documents as PDF.

    Overview View all the pages Comments

    Page 101

    Page 101 CHAPTER 4 Set Up Inline Posture •RoleofInlinePostureNodeinaCiscoISEDeployment,page55 •BestPracticesforInlinePostureDeployment,page62 •InlinePostureNodeGuidelines,page63 •InlinePostureNodeAuthorization,page66 •DeployanInlinePostureNode,page68 •ConfigureaHigh-AvailabilityPair,page73 •ConfigureInlinePostureNodeasRADIUSClientinAdministrationNode,page75 •RemoveanInlinePostureNodefromDeployment,page76 •HealthofanInlinePostureNode,page76 •RemoteAccessVPNUseCase,page77 •CollectionofInlinePostureNodeLogs,page78... 
    CHAPTER 4
Set Up Inline Posture
•RoleofInlinePostureNodeinaCiscoISEDeployment,page55
•BestPracticesforInlinePostureDeployment,page62
•InlinePostureNodeGuidelines,page63
•InlinePostureNodeAuthorization,page66
•DeployanInlinePostureNode,page68
•ConfigureaHigh-AvailabilityPair,page73
•ConfigureInlinePostureNodeasRADIUSClientinAdministrationNode,page75
•RemoveanInlinePostureNodefromDeployment,page76
•HealthofanInlinePostureNode,page76
•RemoteAccessVPNUseCase,page77
•CollectionofInlinePostureNodeLogs,page78...

    Page 102

    Page 102 Inline Posture Policy Enforcement InlinePostureusesRADIUSproxyandURLredirectcapabilitiesinthecontrolplanetomanagedataplane trafficforendpoints.AsaRADIUSproxy,InlinePostureisabletotapintoRADIUSsessionsbetweennetwork accessdevices(NADs)andRADIUSservers.NADscanopenfullgatetoclienttraffic.However,Inline Postureopensonlyenoughtoallowlimitedtrafficfromclients.Therestrictedbandwidthallowsclientsthe abilitytohaveanagentprovisioned,postureassessed,andremediationcompleted.Thisrestrictionis... 
    Inline Posture Policy Enforcement
InlinePostureusesRADIUSproxyandURLredirectcapabilitiesinthecontrolplanetomanagedataplane
trafficforendpoints.AsaRADIUSproxy,InlinePostureisabletotapintoRADIUSsessionsbetweennetwork
accessdevices(NADs)andRADIUSservers.NADscanopenfullgatetoclienttraffic.However,Inline
Postureopensonlyenoughtoallowlimitedtrafficfromclients.Therestrictedbandwidthallowsclientsthe
abilitytohaveanagentprovisioned,postureassessed,andremediationcompleted.Thisrestrictionis...

    Page 103

    Page 103 3TheInlinePosturenode,actingasaRADIUSproxy,relaystheAccess-RequestmessagetotheRADIUS server. 4Afterauthenticatingtheuser,theRADIUSserversendsaRADIUSAccess-Acceptmessagebacktothe InlinePosturenode. TherecanbeanumberofRADIUStransactionsbetweentheEndpoint,WLC,InlinePosturenode,and theCiscoISERADIUSserverbeforetheAccess-Acceptmessageissent.Theprocessdescribedinthis examplehasbeensimplifiedforthesakeofbrevity. 5TheInlinePosturenodepassestheAccess-AcceptmessagetotheWLC,whichinturnauthorizesthe... 
    3TheInlinePosturenode,actingasaRADIUSproxy,relaystheAccess-RequestmessagetotheRADIUS
server.
4Afterauthenticatingtheuser,theRADIUSserversendsaRADIUSAccess-Acceptmessagebacktothe
InlinePosturenode.
TherecanbeanumberofRADIUStransactionsbetweentheEndpoint,WLC,InlinePosturenode,and
theCiscoISERADIUSserverbeforetheAccess-Acceptmessageissent.Theprocessdescribedinthis
examplehasbeensimplifiedforthesakeofbrevity.
5TheInlinePosturenodepassestheAccess-AcceptmessagetotheWLC,whichinturnauthorizesthe...

    Page 104

    Page 104 havealreadybeeninstalledontheInlinePosturenode.Thesubsequentendpointauthenticationandauthorization usestheexistinginstalledprofilesontheInlinePosturenode,unlesstheoriginalprofileshavebeenmodified duringtheCiscoISEpolicyconfiguration.Inthelattercase,themodifiedprofilewithACLisdownloaded andinstalledontheInlinePosturenode,replacingthepreviousversion. Trusted and Untrusted Interfaces ThefollowingterminologyplaysasignificantroleinInlinePosturedeployment:... 
    havealreadybeeninstalledontheInlinePosturenode.Thesubsequentendpointauthenticationandauthorization
usestheexistinginstalledprofilesontheInlinePosturenode,unlesstheoriginalprofileshavebeenmodified
duringtheCiscoISEpolicyconfiguration.Inthelattercase,themodifiedprofilewithACLisdownloaded
andinstalledontheInlinePosturenode,replacingthepreviousversion.
Trusted and Untrusted Interfaces
ThefollowingterminologyplaysasignificantroleinInlinePosturedeployment:...

    Page 105

    Page 105 Theeth2andeth3interfacesofbothnodescommunicatewithheartbeatprotocolexchangestodeterminethe healthofthenodes.EachInlinePosturenodehasitsownphysicalIPaddressesonthetrustedanduntrusted Ethernetinterfaces,butaseparateserviceIPaddressmustbeassignedtotheclusterasawhole. TheserviceIPaddress,alsocalledavirtualIPaddress,isrequiredforRADIUSauthenticationpurposes. YouassigntheserviceIPaddresstoboththetrustedanduntrustedinterfacesforbothnodesofthe... 
    Theeth2andeth3interfacesofbothnodescommunicatewithheartbeatprotocolexchangestodeterminethe
healthofthenodes.EachInlinePosturenodehasitsownphysicalIPaddressesonthetrustedanduntrusted
Ethernetinterfaces,butaseparateserviceIPaddressmustbeassignedtotheclusterasawhole.
TheserviceIPaddress,alsocalledavirtualIPaddress,isrequiredforRADIUSauthenticationpurposes.
YouassigntheserviceIPaddresstoboththetrustedanduntrustedinterfacesforbothnodesofthe...

    Page 106

    Page 106 Inline Posture Routed Mode TheInlinePostureroutedmodeactsasaLayer3“hop”inthewire,selectivelyforwardingpacketstospecified addresses.Thismodeprovidestheabilitytosegregatenetworktraffic,allowingyoutospecifyuserswhohave accesstoselecteddestinationaddresses. Inroutedmode,theInlinePosturenodeoperatesasaLayer3router,andbecomesthedefaultgatewayfor theuntrustednetworkwithitsmanagedclients.Alltrafficbetweentheuntrustedandtrustednetworkspasses... 
    Inline Posture Routed Mode
TheInlinePostureroutedmodeactsasaLayer3“hop”inthewire,selectivelyforwardingpacketstospecified
addresses.Thismodeprovidestheabilitytosegregatenetworktraffic,allowingyoutospecifyuserswhohave
accesstoselecteddestinationaddresses.
Inroutedmode,theInlinePosturenodeoperatesasaLayer3router,andbecomesthedefaultgatewayfor
theuntrustednetworkwithitsmanagedclients.Alltrafficbetweentheuntrustedandtrustednetworkspasses...

    Page 107

    Page 107 Inbridgedmode,theInlinePosturenodeoperatesasastandardEthernetbridge.Thisconfigurationistypically usedwhentheuntrustednetworkalreadyhasagateway,andyoudonotwanttochangetheexisting configuration. ThefollowingfigureshowstheInlinePosturenodeactingasabridgefortheLayer2clienttrafficfromthe WLCtotheCiscoISEnetwork,managedbythePolicyServicenode.Inthisconfiguration,InlinePosture requiressubnetentriesforthe10.20.80.0/24and10.20.90.0/24subnetstobeabletorespondtoandsend... 
    Inbridgedmode,theInlinePosturenodeoperatesasastandardEthernetbridge.Thisconfigurationistypically
usedwhentheuntrustednetworkalreadyhasagateway,andyoudonotwanttochangetheexisting
configuration.
ThefollowingfigureshowstheInlinePosturenodeactingasabridgefortheLayer2clienttrafficfromthe
WLCtotheCiscoISEnetwork,managedbythePolicyServicenode.Inthisconfiguration,InlinePosture
requiressubnetentriesforthe10.20.80.0/24and10.20.90.0/24subnetstobeabletorespondtoandsend...

    Page 108

    Page 108 Inthisexample,theuntrustedIPaddressforInlinePosture1canbe10.20.70.101,andtheuntrustedIPaddress forInlinePosture2canbe10.20.70.102.However,theserviceIPaddressforbothnodesontheuntrustedside ofthenetworkwouldbe10.20.70.100.TheactiveInlinePosturenodeinthepair,atanypointoftime,assumes theserviceIPaddressontheuntrustedsideofthenetwork.Thesameholdstrueforthetrustedsideofthe network. Figure 7: Inline Posture High-Availability Routed Mode Configuration... 
    Inthisexample,theuntrustedIPaddressforInlinePosture1canbe10.20.70.101,andtheuntrustedIPaddress
forInlinePosture2canbe10.20.70.102.However,theserviceIPaddressforbothnodesontheuntrustedside
ofthenetworkwouldbe10.20.70.100.TheactiveInlinePosturenodeinthepair,atanypointoftime,assumes
theserviceIPaddressontheuntrustedsideofthenetwork.Thesameholdstrueforthetrustedsideofthe
network.
Figure 7: Inline Posture High-Availability Routed Mode Configuration...

    Page 109

    Page 109 InlinePosturematchestheMAC,MACandIP,orsubnetaddresstodeterminewhetherthebypass functionisenabledforadevice.Youcanchoosetobypasspolicyenforcementortoforciblyblock access. DonotconfiguretheMACaddressinaMACfilterforadirectlyconnectedASAVPN devicewithoutalsoenteringtheIPaddress.WithouttheadditionoftheoptionalIP address,VPNclientsareallowedtobypasspolicyenforcement.Thisbypasshappens becausetheVPNisaLayer3hopforclients,andthedeviceusesitsownMACaddress... 
    InlinePosturematchestheMAC,MACandIP,orsubnetaddresstodeterminewhetherthebypass
functionisenabledforadevice.Youcanchoosetobypasspolicyenforcementortoforciblyblock
access.
DonotconfiguretheMACaddressinaMACfilterforadirectlyconnectedASAVPN
devicewithoutalsoenteringtheIPaddress.WithouttheadditionoftheoptionalIP
address,VPNclientsareallowedtobypasspolicyenforcement.Thisbypasshappens
becausetheVPNisaLayer3hopforclients,andthedeviceusesitsownMACaddress...

    Page 110

    Page 110 1TheInlinePosturenodeissupportedonlyonCiscoISE-3300seriesandSNS-3415appliances.Itisnot currentlysupportedonCiscoSNS-3495applianceorasavirtualappliance. 2InlinePostureisunabletorunconcurrentlywithAdministration,PolicyService,orMonitoringpersonas and,therefore,isadedicatednode. 3AnInlinePosturenodemustberegisteredtothePANonyournetwork. 4ForeachdeploymentinstanceofanInlinePosturenode,youcandeployastandalonenode,oran active-standbypair.... 
    1TheInlinePosturenodeissupportedonlyonCiscoISE-3300seriesandSNS-3415appliances.Itisnot
currentlysupportedonCiscoSNS-3495applianceorasavirtualappliance.
2InlinePostureisunabletorunconcurrentlywithAdministration,PolicyService,orMonitoringpersonas
and,therefore,isadedicatednode.
3AnInlinePosturenodemustberegisteredtothePANonyournetwork.
4ForeachdeploymentinstanceofanInlinePosturenode,youcandeployastandalonenode,oran
active-standbypair....
    Start reading Cisco Ise 13 User Guide

    Related Manuals for Cisco Ise 13 User Guide

    All Cisco manuals